The Red Condor security team today issued a warning of a new sophisticated email malware threat that is disguised as misdirected personal emails with executable attachments.
The spam messages, which have a variety of subject lines, including “You are in invited to another show!”, “FW: Resume as discussed” and “FW: Car & Car loan” appear to consist of content that was likely stolen from compromised email accounts and computers and appear to have multiple connections with the ongoing one-click plug-and-play (PNP) malware campaigns that Red Condor has been monitoring the past several months.
Red Condor also identified a possible source of the spam payloads at compromised accounts on the social media/networking site, Multiply.com. The executables in this new campaign have been identified as TR/Dropper.Gen / FraudTool.Win32.AVSoft (v) / Malware-Cryptor.Win32.Limpopo. At the time this campaign was blocked, only 4 out of 41 anti-virus engines had detected the malware.
Among the commonalities between this new spate of spam and the one-click malware campaigns are the following:
- Both are being used to distribute similar malware strains (Bredolab for the attached executables and Zeus for the drive-by) both of which are associated with Fake AV applications at some point in the infection cycle. Although, because these are Trojans, any cocktail of malware can be downloaded and installed once a foothold into a victim’s system is achieved.
- Both employ new strains of malware that are for the most part undetected by AV engines.
- Both appear to be primarily designed to compromise computers instead of advertising goods and services.
- Both employ novel social engineering hooks such as spoofing brands (for PNP) or “misdirected personal communications” to entice recipients to perform the call to action.
- The strongest link is the co-occurrence of the payloads showing up on a narrow set of compromised blog accounts at the free blog hosting site, Multiply.com.